Reflected Cross-Site Scripting Vulnerability in URL Shortify Plugin for WordPress
CVE-2025-13355

7.1HIGH

Key Information:

Vendor

WordPress
Status
Url Shortify
Vendor
CVE Published:
15 December 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-13355?

The URL Shortify plugin for WordPress, prior to version 1.11.4, contains a vulnerability that fails to properly sanitize and escape a specific parameter before rendering it on the web page. This oversight can lead to a reflected cross-site scripting attack, potentially enabling malicious users to execute scripts in the context of high-privilege user sessions, such as administrators. Proper validation and sanitization mechanisms are crucial to mitigate this issue and protect user data.

Affected Version(s)

URL Shortify 0 < 1.11.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13355 - Proof of Concept

References

https://wpscan.com/vulnerability/8581af77-2d72-48e8-9b22-...
exploitvdb-entrytechnical-description

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gregory Allegoet
WPScan
JSON
.
CVE-2025-13355 : Reflected Cross-Site Scripting Vulnerability in URL Shortify Plugin for WordPress